Deploy MOSS Medium Farm Using Kerberos Authentication on Windows 2008 Server NLB

Architecture of the medium farm


Technorati Tags: MOSS 2007,Kerberos,Windows 2008,NLB

Assumption

· You have basic knowledge of AD, MOSS and NLB

· Windows 2003 Domain name: contoso.com

· SQL cluster already installed

· 3 servers with Windows 2008 Server installed; Web1 and Web2 each have 2 NICs, connected to different subnets

· You have a Domain Admin account

· 2 Web front servers (Web1 and Web2)

· 1 Index Server (Idx1)

· NLB SharePoint farm will be accessed as https://sharepoint

· Following domain accounts used for SharePoint have been created:

o Contoso\MOSSPortal

o Contoso\MOSSSearch

o Contoso\MOSSMysite

o Contoso\MOSSAdmin

o Contoso\MOSSSsp

Prepare Windows 2008 Servers

Make sure all 3 Windows 2008 servers have the following roles added:

· Application Server Foundation

· Web Server (IIS) Support

· Windows Process Activation Service Support (optional – useful if this server will host WCF services)

· Distributed Transactions (optional for MOSS, but install it in case some WebPart code needs to use distributed transactions)


Prepare Windows 2008 Server NLB Cluster

This is a very straightforward process, and we need to make sure the NLB cluster is functioning before we install MOSS on it. Here is the step-by-step configuration process:

· Log on to Web1 and make sure both NICs are configured correctly by pinging Web2 (this should resolve to 172.168.8.57 in my case); also make sure you can ping Web2 on its other IP (in my case 192.168.10.2)

· Log on to Web2 and make sure both NICs are configured correctly by pinging Web1 (this should resolve to 172.168.8.56 in my case); also make sure you can ping Web1 on its other IP (in my case 192.168.10.1)

· Log on to Web1, open a command window and type nlbmgr, right-click Network Load Balancing Clusters and select “New Cluster”, specify a host to connect to and select the interface with IP 172.16.8.56, select unicast because we have two NICs here (you need to use multicast if you have only one NIC), and make sure to specify your cluster IP (in my case 172.16.8.58) and the full Internet name sharepoint.contoso.com


· Add Web2 to the cluster; once NLB is configured successfully, the cluster manager shows both hosts

Test NLB Cluster by Creating an IIS Website

Before we install MOSS on Web1 and Web2, we need to make sure the NLB is functioning as expected. Here are the steps to test it.

· Log on to Web1

o Create a folder to host our test website, C:\WebSites\SharePointPortalSite, create a test.htm file in this folder, and enter <h1>Content on Web1</h1> in test.htm

o Create a website using IIS Manager pointing to the folder created above; make sure this website is bound to the cluster IP only, with the cluster name as host header (in my case 172.16.8.58 and sharepoint)


o Select DefaultAppPool as the application pool

· Log on to Web2 and repeat the above steps, but edit test.htm to change the content to “Content on Web2”

· Now log on to the index server and browse to https://sharepoint; you should see either “Content on Web1” or “Content on Web2”

· Keep testing by shutting down Web1 while Web2 is on

· Keep testing by shutting down Web2 while Web1 is on

We have successfully tested the NLB cluster. You might get an authentication error if you access https://sharepoint from Web1 or Web2 themselves; if so, follow this link for the workaround (DisableLoopbackCheck): https://support.microsoft.com/default.aspx/kb/926642

Install MOSS and Configure Central Admin Site

· Install the MOSS bits on all 3 servers in the following order:

o MOSS bits

o MOSS sp1 bits

o MOSS infrastructure update bits

· Log on to Web1

o Run “SharePoint Products and Technologies Configuration Wizard” to create your farm

o Make sure to select that “Central Admin” will run on this machine

· Log on to Web2

o Run “SharePoint Products and Technologies Configuration Wizard” to join the existing farm

o Make sure to select that “Central Admin” will run on this machine

· Log on to Idx1

o Run “SharePoint Products and Technologies Configuration Wizard” to join the existing farm

o Make sure to select that “Central Admin” will run on this machine

· Test on all 3 servers and make sure the Central Admin site comes up

Configure Index Server

· Log on to the index server

· Start the Office SharePoint Server Search service

· Start the Windows SharePoint Services Help Search service


Configure SSP

· Create a web application at https://sharepoint:5100 to host the SSP; app pool identity: Contoso\MOSSMysite

· Create a web application at https://sharepoint:5200 to host MySite; app pool identity: Contoso\MOSSSsp

· Make sure to select the correct index server, in my case IDX1

· Plan the index capacity and make sure to allocate enough space to host the index

· Create new SSP

· Configure the search settings

· Install the 64-bit PDF IFilter on the index server (https://www.foxitsoftware.com/pdf/ifilter/ )

Prepare for Kerberos Authentication

To make Kerberos authentication work with the SharePoint portal https://sharepoint, we need to make sure that both web servers are configured to be trusted for delegation and that the needed service principal names (SPNs) are registered.

Launch the Active Directory Users and Computers MMC, find the Web1 and Web2 servers, double-click to open the properties, and on the Delegation tab select “Trust this computer for delegation to any service (Kerberos only)”


Find the domain user account contoso\mossportal, which will be used as the identity of the application pool for our SharePoint portal site, double-click to open the properties page, and on the Delegation tab select “Trust this user for delegation to any service (Kerberos only)”


Here are the commands we need to run on a machine that has SETSPN.exe (included in the Windows 2003 Server media as Support.CAB):

setspn -a http/sharepoint contoso\mossportal

setspn -a http/sharepoint.contoso.com contoso\mossportal
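Before switching the web application to Kerberos it is worth confirming that each SPN is registered exactly once and on the right account: an SPN that is missing, or registered on two accounts (for example the app pool account and a server computer account), makes the KDC unable to issue a service ticket, and the browser silently falls back to NTLM. The following PowerShell script is an added example, not part of the original post; it assumes the names from this walkthrough (contoso.com, the host header sharepoint, the account contoso\mossportal) and only reads from Active Directory.

```powershell
# Added example (not from the original post): check the SPN registration for the
# SharePoint app pool account. Assumes the names used in this walkthrough:
# domain contoso.com, NLB name "sharepoint", account contoso\mossportal.
# Run on any domain-joined machine as a user who can read AD; nothing is modified.

$account = 'mossportal'
$spns    = @('http/sharepoint', 'http/sharepoint.contoso.com')

function Find-SpnOwners {
    param([string]$Spn)
    # LDAP search for every object carrying this SPN. More than one hit is a
    # duplicate SPN, which breaks Kerberos for the site without an obvious error.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    $searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] }
}

$ok = $true
foreach ($spn in $spns) {
    $owners = @(Find-SpnOwners -Spn $spn)
    if ($owners.Count -eq 0) {
        Write-Host "MISSING       $spn  -> run: setspn -a $spn contoso\$account"
        $ok = $false
    } elseif ($owners.Count -gt 1) {
        Write-Host "DUPLICATE     $spn  -> registered on: $($owners -join ', ')"
        $ok = $false
    } elseif ($owners[0] -ne $account) {
        Write-Host "WRONG ACCOUNT $spn  -> registered on $($owners[0]), expected $account"
        $ok = $false
    } else {
        Write-Host "OK            $spn  -> $($owners[0])"
    }
}

# Non-zero exit lets the check be used in a deployment script before enabling Kerberos.
if (-not $ok) { exit 1 }
```

Run it again after the two setspn commands above; every line should read OK before you create the Kerberos web application in Central Admin.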

Configure MOSS Portal Using Kerberos Authentication

· Log on to Web1, launch the Central Admin site and create a new web application; make sure to check “using an existing IIS website” and select the website we used to test the NLB in the steps above, in my case https://sharepoint

· Make sure to choose “Kerberos” as authentication provider and supply all other necessary information to create a web application

· Create the root site collection and select a site template that meets your needs

· Wait a few minutes to make sure the site provisioning job has completed; the changes are made automatically on the Web2 server

· Log on to a workstation; you should be able to access the SharePoint site through the NLB URL https://sharepoint
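A page that loads from the workstation does not by itself prove Kerberos is in use, because IIS will accept an NTLM logon when the Kerberos ticket request fails. The PowerShell script below is an added example, not part of the original post: run it on Web1 (then on Web2) after browsing the site, and it summarises the recent network logons in the Security log by authentication package. It assumes PowerShell 2.0 (Get-WinEvent) on the Windows 2008 web servers and an elevated session.

```powershell
# Added example (not from the original post): confirm that users reaching
# https://sharepoint authenticate with Kerberos rather than falling back to NTLM.
# Assumes PowerShell 2.0 on Windows 2008 and an elevated session on the web server.

$minutes = 10
$since = (Get-Date).AddMinutes(-$minutes)

# Event 4624 = successful logon. Network logons (type 3) to the web server record
# the package the client used: "Kerberos" or "NTLM".
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
    -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        New-Object PSObject -Property @{
            Time    = $_.TimeCreated
            User    = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            Type    = $d['LogonType']
            Package = $d['AuthenticationPackageName']
        }
    } | Where-Object { $_.Type -eq '3' }

# Summary per authentication package
$logons | Group-Object Package | ForEach-Object {
    "{0,-10} {1,5} network logons in the last {2} minutes" -f $_.Name, $_.Count, $minutes
}

# Any NTLM logons from browser users mean the SPN or delegation settings are not
# being picked up; list them so the affected accounts can be checked.
$ntlm = $logons | Where-Object { $_.Package -eq 'NTLM' }
if ($ntlm) { $ntlm | Sort-Object Time | Format-Table Time, User, Package -AutoSize }
```

Service and machine accounts also produce type 3 logons, so judge the result by the user accounts you just tested with rather than by the totals alone.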